JFrog Security's research team identified two denial-of-service vulnerabilities, CVE-2021-37136 and CVE-2021-37137, in the Netty framework, present in versions 4.1.0 through 4.1.67. They affect applications that use Netty to decompress user-supplied Bzip2 or Snappy data streams: an attacker can feed the Bzip2 decoder a "zip bomb", a small compressed input that inflates to a very large output, exhausting system memory and crashing the process. The root cause is that the decoder attempted to decompress the entire file before adding anything to the output buffer, so the full inflated data had to fit in memory at once. Netty fixed the issue in version 4.1.68, where the decoder now returns after processing each chunk. JFrog's testing confirmed that the fix blocks the exploit without requiring any further action from users, and the team thanked the Netty maintainers for their prompt resolution.
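The two decoder behaviours described above, shown side by side with Python's standard `bz2` module rather than Netty's own code (this is an added illustration, not JFrog's or Netty's code): inflating the whole stream in one call versus emitting bounded chunks. The compressed input is constructed inline, and `max_output` is a hypothetical extra policy limit on total inflated bytes, not part of Netty's fix.

```python
import bz2

# Constructed input with the "zip bomb" shape: 8 MiB of zero bytes compress
# to well under 1 KiB under bzip2, so a tiny message inflates enormously.
INFLATED_SIZE = 8 * 1024 * 1024
BOMB = bz2.compress(b"\x00" * INFLATED_SIZE)
# Constructed benign input for comparison.
SMALL_STREAM = bz2.compress(b"hello netty")


def decompress_all_at_once(data: bytes) -> int:
    """Vulnerable pattern: the entire stream is inflated into one buffer before
    anything is handed on, so peak memory equals the inflated size, which the
    sender controls. Returns the inflated length."""
    return len(bz2.decompress(data))


class OutputLimitExceeded(Exception):
    """Raised when the total inflated output exceeds the configured limit."""


def decompress_chunked(data: bytes, chunk_size: int = 64 * 1024,
                       max_output: int = 1024 * 1024) -> int:
    """Fixed pattern: inflate at most chunk_size bytes per step and hand each
    chunk on (here: just count it), so memory is bounded by chunk_size rather
    than by the attacker's chosen inflated size. max_output is a hypothetical
    additional cap on total inflated bytes. Returns the inflated length."""
    dec = bz2.BZ2Decompressor()
    total = 0
    pending = data
    while not dec.eof:
        # max_length bounds how much output this single call may produce;
        # unconsumed input stays buffered inside the decompressor.
        chunk = dec.decompress(pending, max_length=chunk_size)
        pending = b""
        total += len(chunk)
        if total > max_output:
            raise OutputLimitExceeded(
                f"inflated output exceeded {max_output} bytes")
        if not chunk and dec.needs_input:
            break  # truncated stream: no more input and no more output
    return total
```

With the defaults, `decompress_chunked(BOMB)` aborts after roughly 1 MiB of output, while `decompress_all_at_once(BOMB)` materialises all 8 MiB first.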